Troubleshooting Tip: Unlocked user accounts are being locked within 24 hours
Description
This article describes how to unlock a 'locked out' user so that the user is not locked out again during the next password expiration check.
Scope
FortiAuthenticator.
Solution
When an administrator unlocks a 'locked out' user without changing the user's password, the user will be locked out again during the next password expiration check, which runs every 24 hours.
There are two ways to resolve this problem.
Either:
- Disable 'Enable password expiry' under Authentication -> User Account Policies -> Passwords -> User Password Change Policy.

Or:
- Be sure to change a user's password after unlocking the user. See the related KB article for details.
- To view the locked-out users, go to Monitor -> Authentication -> Locked-out Users.
- To unlock a user from the list, select the user and select Unlock. The list can be refreshed by selecting Refresh, and searched using the search field.
- Note that there is no command to unlock the locked-out user, like there is in FortiGate. The user must be unlocked in the GUI by navigating to Monitor -> Authentication -> Locked-out Users.
Note: The source IP address is blocked after a maximum of 3 failed administrator login attempts. Failed login attempts are counted based on the source IP address. The default administrator login lockout time is 60 seconds.
Related documents:
Technical Tip: Force password change for local users
Locked-out users
Troubleshooting Tip: How to debug FortiAuthenticator Services